Help spyware trojan problems
   
tdrndm
New Member
Date Joined Sep 2008
Total Posts : 4
Posted 9-6-2008 10:35 (GMT +1)
Computer locking up and acting strange. Avast and Super spyware seemed to clean up msantivirus 2008. Problems again. Avast picking up many win32:trojan gen files. I have a hijack this log. System restore off and all start up programs enabled.
Thanks for any help ... driving me crazy!

File Attachment :
hijackthis.log - normal start.txt   14KB (application/octet-stream)
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 9-7-2008 5:51 (GMT +1)
Hello

Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks and save the file on your desktop.


  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please download Malwarebytes' Anti-Malware (from either of the download links) to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and paste that log into your next reply, along with a fresh HijackThis log.
 
 
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
 
Please copy and paste your logs. DO NOT add them as an attachment.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
 

tdrndm
New Member
Date Joined Sep 2008
Total Posts : 4
Posted 9-7-2008 3:41 (GMT +1)
Thanks so much! Copy of logs:

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 3

9:21:13 AM 07/09/2008
mbam-log-9-7-2008 (09-21-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178147
Time elapsed: 48 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 37
Files Infected: 86

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhct6jj0ec2j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhct6jj0ec2j (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0053114-34058) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\USER\Application Data\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Maps (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Reference (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\x1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\x2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\x3.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\x4.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\GLK14.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\GLK1F.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\GLK40.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Local Settings\Temp\GLK48.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Maps\MapsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Maps\MapsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\USER\Application Data\Starware343\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\maps.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\maps_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\walertXP.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\Microsoft\dtsc\Xilisoft.3GP.Video.Converter.2.x-KeyGen-CiM.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\Microsoft\dtsc\Xilisoft.3GP.Video.Converter.2.x-KeyGen-CiM.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\TmpRecentIcons\VirusRemover2008.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob Desroches\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26 AM, on 07/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\DOCUME~1\BOBDES~1\LOCALS~1\Temp\version.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\DOCUME~1\BOBDES~1\LOCALS~1\Temp\version.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [msoffice] C:\DOCUME~1\BOBDES~1\LOCALS~1\Temp\version.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [msoffice] C:\DOCUME~1\BOBDES~1\LOCALS~1\Temp\version.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Copy to &Lightning Note - C:\Program Files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Treasure%20Masters,%20Inc/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Ancient%20Quest%20of%20Saqqarah/Images/armhelper.ocx
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: rqbmvpso - {6D654746-CC72-4002-B469-3ABD7DEF7777} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9645 bytes

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 9-9-2008 5:00 (GMT +1)
You've certainly got rid of some crap there.

Please download Combofix:

And save to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

tdrndm
New Member
Date Joined Sep 2008
Total Posts : 4
Posted 9-9-2008 8:22 (GMT +1)
Thanks Touch! Copy of ComboFix log:

ComboFix 08-09-05.02 - Bob Desroches 2008-09-09 2:03:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.108 [GMT -5:00]
Running from: C:\Documents and Settings\Bob Desroches\Desktop\ComboFix.exe
Command switches used :: /snapshot
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Bob Desroches\Application Data\Adobe\crc.dat
C:\Documents and Settings\Bob Desroches\Application Data\inst.exe
C:\WINDOWS\system32\ooqtvyay.ini
C:\WINDOWS\system32\ooqtvyay.ini2
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat

----- BITS: Possible infected sites -----

http://pornotube8.net
http://hqsextube08.com
.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-07 08:28 . 2008-09-07 08:28 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2008-09-07 08:28 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 08:28 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 08:24 . 2008-09-07 08:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 08:24 . 2008-09-07 08:24 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\Malwarebytes
2008-09-07 08:24 . 2008-09-07 08:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-09-07 08:22 . 2008-09-07 08:22 <DIR> d-------- C:\HostsXpert
2008-09-06 08:22 . 2008-09-06 08:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-05 15:51 . 2008-09-05 15:51 <DIR> d-------- C:\Documents and Settings\Administrator.BOB\Application Data\SUPERAntiSpyware.com
2008-09-03 14:09 . 2008-09-03 14:09 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-09-03 14:02 . 2008-09-03 04:31 143,360 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-03 10:54 . 1996-01-05 07:33 973,584 --a------ C:\WINDOWS\system32\msjt3032.dll
2008-09-03 10:54 . 1996-01-05 10:45 245,520 --a------ C:\WINDOWS\system32\MSRD2X32.dll
2008-09-03 10:54 . 1996-01-24 10:27 244,496 --a------ C:\WINDOWS\system32\vbar2232.dll
2008-09-03 10:54 . 1996-01-05 10:45 98,356 --a------ C:\WINDOWS\system32\msjter32.dll
2008-09-03 10:54 . 1996-01-24 00:18 37,376 --a------ C:\WINDOWS\system32\ven2232.olb
2008-09-03 10:54 . 1996-01-05 10:45 35,088 --a------ C:\WINDOWS\system32\msjint32.dll
2008-09-03 10:53 . 2008-09-03 10:53 <DIR> d-------- C:\~ECSETUP.TMP
2008-09-03 10:53 . 2005-05-08 14:28 262,144 --a------ C:\WINDOWS\uninst.exe
2008-08-28 19:45 . 2008-08-28 19:47 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Shared
2008-08-28 19:45 . 2008-08-28 19:45 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Incomplete
2008-08-28 19:44 . 2008-08-28 19:44 <DIR> d-------- C:\Program Files\WinMX Music
2008-08-28 19:44 . 2008-08-28 19:44 <DIR> d-------- C:\Program Files\P2P_Energy
2008-08-28 19:44 . 2008-08-28 19:44 <DIR> d-------- C:\Program Files\Conduit
2008-08-28 19:44 . 2008-08-28 19:45 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\WinMX Music
2008-08-26 10:09 . 2008-08-26 10:42 <DIR> d-------- C:\VundoFix Backups
2008-08-26 10:07 . 2008-08-26 10:07 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-25 19:19 . 2008-08-25 19:19 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-08-25 19:19 . 2008-08-25 19:19 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-08-25 19:19 . 2008-08-25 19:19 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-08-25 19:19 . 2008-08-25 19:19 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-08-25 17:47 . 2008-08-25 17:48 <DIR> d-------- C:\Program Files\Free Easy Burner
2008-08-25 17:47 . 2005-06-01 12:15 966,144 --a------ C:\WINDOWS\system32\AudioInfos.dll
2008-08-25 17:47 . 2006-11-18 12:38 200,704 --a------ C:\WINDOWS\system32\vbalExpBar6.ocx
2008-08-25 17:47 . 1998-07-12 23:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-08-25 17:47 . 2000-10-01 19:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-08-25 17:47 . 2005-01-10 13:54 116,296 --a------ C:\WINDOWS\system32\NCTWMAProfiles.prx
2008-08-25 17:47 . 2000-05-22 15:58 115,920 --a------ C:\WINDOWS\system32\msinet.OCX
2008-08-25 17:47 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-08-25 17:47 . 2003-01-26 13:41 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2008-08-25 17:47 . 1998-07-12 19:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-08-25 17:47 . 1998-07-12 23:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2008-08-25 17:41 . 2008-08-25 20:15 <DIR> d-------- C:\Program Files\RegScrubXP
2008-08-25 06:49 . 2008-08-25 11:11 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-25 06:49 . 2008-08-25 06:49 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\SUPERAntiSpyware.com
2008-08-25 06:49 . 2008-08-25 06:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-08-24 16:01 . 2008-09-05 19:11 <DIR> d-------- C:\Documents and Settings\Administrator.BOB
2008-08-23 16:40 . 2008-08-23 16:41 <DIR> d-------- C:\Program Files\Treasure Masters Inc
2008-08-22 22:45 . 2008-08-22 22:45 <DIR> d-------- C:\WINDOWS\system32\VirtualExpander
2008-08-22 22:22 . 2008-08-22 22:23 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\TMInc
2008-08-20 14:26 . 2008-08-20 14:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 14:26 . 2008-08-20 14:26 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 14:26 . 2008-08-20 14:26 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-20 14:26 . 2008-08-20 14:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-20 14:22 . 2008-08-20 14:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-20 14:14 . 2008-08-20 14:14 <DIR> d-------- C:\WINDOWS\EHome
2008-08-18 19:10 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-17 08:30 . 2008-08-17 08:30 37 --a------ C:\WINDOWS\Viewer.ini
2008-08-16 23:28 . 2008-08-16 23:33 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\Ancient Quest of Saqqarah__spin
2008-08-16 23:12 . 2008-08-16 23:12 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\SpinTop
2008-08-16 12:39 . 2008-09-03 10:53 18,640 --a------ C:\WINDOWS\ecsetup.ini
2008-08-16 12:38 . 2008-09-03 10:53 303 --a------ C:\WINDOWS\EASYC.INI
2008-08-16 12:37 . 2008-08-16 12:37 <DIR> d-------- C:\Program Files\GameHouse
2008-08-16 12:37 . 2008-08-16 12:37 <DIR> d-------- C:\Documents and Settings\Bob Desroches\Application Data\GameHouse
2008-08-16 12:37 . 2008-08-16 12:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\n7-89-o9-3r-4t-r9
2008-08-16 09:31 . 2008-08-16 09:31 <DIR> d-------- C:\Program Files\iTunes
2008-08-13 11:19 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 16:04 --------- d-----w C:\Program Files\!!!el Quest III
2008-09-03 18:37 --------- d-----w C:\Documents and Settings\Bob Desroches\Application Data\uTorrent
2008-09-03 15:06 3,350 --sha-w C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-09-02 15:25 88 --sh--r C:\Documents and Settings\All Users.WINDOWS\Application Data\31CBCDF061.sys
2008-08-28 15:39 --------- d-----w C:\Program Files\WinMX
2008-08-28 04:12 --------- d-----w C:\Program Files\ListMaker
2008-08-27 01:07 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-08-25 22:29 --------- d-----w C:\Program Files\Acoustica MP3 CD Burner
2008-08-25 14:05 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-08-25 13:18 --------- d-----w C:\Documents and Settings\Bob Desroches\Application Data\Apple Computer
2008-08-25 11:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 16:55 --------- d-----w C:\Program Files\dvdSanta
2008-08-19 17:57 --------- d-----w C:\Documents and Settings\Bob Desroches\Application Data\Vso
2008-08-16 14:34 --------- d-----w C:\Program Files\Apple Software Update
2008-08-16 14:31 --------- d-----w C:\Program Files\iPod
2008-08-16 14:30 --------- d-----w C:\Program Files\QuickTime
2008-08-16 13:53 --------- d-----w C:\Program Files\Safari
2008-08-16 05:15 --------- d-----w C:\Program Files\RealArcade
2008-08-07 01:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-08-07 01:51 249,856 ------w C:\WINDOWS\Setup1.exe
2008-08-06 22:14 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-08-06 18:41 --------- d-----w C:\Documents and Settings\Bob Desroches\Application Data\AVSMedia
2008-08-06 15:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AVS4YOU
2008-08-06 15:39 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-07-30 14:07 --------- d-----w C:\Documents and Settings\Bob Desroches\Application Data\iWin
2008-07-23 01:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 15:21 0 ----a-w C:\Program Files\temp01
2008-04-20 16:13 47,360 ----a-w C:\Documents and Settings\Bob Desroches\Application Data\pcouffin.sys
2006-06-19 20:57 284 -c--a-w C:\Documents and Settings\USER\Application Data\ViewerApp.dat
2005-11-26 17:11 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2005-08-07 17:32 178 -c-ha-w C:\Documents and Settings\USER\Application Data\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-27 1606680]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2008-07-27 21:11 1606680 --a------ C:\Program Files\P2P_Energy\tbP2P_.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-27 1606680]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"QuickFinder Scheduler"="c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"Nitro PDF Printer Monitor"="C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-03-05 210224]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-11 185632]
"VTTimer"="VTTimer.exe" [2003-08-19 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\Bob Desroches\Start Menu\Programs\Startup\
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2008-08-17 6240]
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2008-08-22 474808]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\DivX\\DivX Converter\\Converter.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Documents and Settings\\Bob Desroches\\Desktop\\WinMX.exe"=
"C:\\Documents and Settings\\Bob Desroches\\Desktop\\winmx354beta4\\WinMX.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
S3 bepldr;BCL easyPDF SDK 5 Loader;C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-15 151552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0cb5e0d-72f4-11dd-9147-00110984f3f6}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
HKLM-Run-Antivirus - C:\Program Files\MSA\MSA.exe
HKLM-Explorer_Run-msoffice - C:\DOCUME~1\BOBDES~1\LOCALS~1\Temp\version.exe
SSODL-rqbmvpso-{6D654746-CC72-4002-B469-3ABD7DEF7777} - (no file)
Notify-avldr - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bob Desroches\Application Data\Mozilla\Firefox\Profiles\brphkwv8.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 02:10:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\VirtualExpander\VEShellExt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-09 2:18:28 - machine was rebooted [Bob Desroches]
ComboFix-quarantined-files.txt 2008-09-09 07:18:21

Pre-Run: 53,189,578,752 bytes free
Post-Run: 53,883,924,480 bytes free

236 --- E O F --- 2008-08-22 08:01:28

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 9-9-2008 12:12 (GMT +1)
Looks clean

How are things running now?
tdrndm
New Member
Date Joined Sep 2008
Total Posts : 4
Posted 9-9-2008 2:12 (GMT +1)
Looks great!! Thanks again. It is a friend's computer - almost ended friendship :-). The only thing I am unable to check right now is the internet connection (they have a different service provider). Running smooth and fast! A huge thank you!!

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13594
Posted 9-9-2008 2:24 (GMT +1)
Sounds good

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And reset System Restore again.

Since this issue appears resolved ... this Topic is closed.
If you would like it to be reopened please contact Me.
 